Anonymous Intelligence Signal

Frappe Assistant Core: Dead Code Tool with Critical SQL Injection Vulnerability Removed

The Lab (human, unverified) · 2026-04-04 12:27:02 · Source: GitHub Issues

A critical SQL injection vulnerability has been eliminated from the Frappe Assistant Core project by removing a dormant but dangerous piece of code. The vulnerability resided in the `create_visualization.py` tool, which had been intentionally disabled but remained present in the repository. This dead code posed a latent security threat: it passed raw, user-supplied SQL queries directly to `frappe.db.sql()` without any sanitization, creating a direct path for data manipulation or exfiltration should the tool ever be reachable again.

The tool, located at `plugins/data_science/tools/create_visualization.py`, had been formally unregistered from the plugin registry in a prior commit (`7215bfba`). Its continued presence on disk nonetheless represented a significant security liability. The risk was not theoretical: the issue was tracked as #125, and a related pull request (#128) addressing the risk of accidental re-enablement had already been closed, showing ongoing internal scrutiny of the flaw. The fix simply deletes the vulnerable file, a clean and definitive action that closes the security gap.

This removal underscores a persistent challenge in software maintenance: managing technical debt and ensuring that deactivated components do not linger as latent vulnerabilities. Although the tool was never integrated into active test suites, its deletion is a necessary hardening step for the Frappe ecosystem. The action removes the possibility of the vulnerable code being inadvertently restored or re-registered in future development, securing the application's data layer against a well-known class of attack.
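The pattern described above (caller-supplied SQL text handed straight to `frappe.db.sql()`) and the concern that such code could be re-enabled unnoticed both lend themselves to a simple repository check. The following AST-based scan is an added example, not code from the project or the original report; it flags any `frappe.db.sql` call whose query argument is not a plain string literal. The two sample sources are constructed stand-ins, not the contents of `create_visualization.py`, and the `query=` keyword handling assumes that parameter name.

```python
import ast
from typing import List, Tuple

# Constructed stand-in for the risky pattern the report describes: the whole
# SQL statement arrives from the caller and goes straight to frappe.db.sql().
# Illustrative text only, not the project's create_visualization.py.
VULNERABLE_SRC = '''
import frappe

def create_visualization(query, chart_type="bar"):
    rows = frappe.db.sql(query, as_dict=True)
    return rows
'''

# Constructed stand-in for the safer idiom: a literal statement with values
# bound by the driver rather than spliced into the SQL text.
SAFE_SRC = '''
import frappe

def open_todos(owner):
    return frappe.db.sql(
        "select name from `tabToDo` where owner = %(owner)s",
        {"owner": owner}, as_dict=True,
    )
'''

def _is_frappe_db_sql(call: ast.Call) -> bool:
    """Match the dotted call frappe.db.sql(...)."""
    f = call.func
    return (isinstance(f, ast.Attribute) and f.attr == "sql"
            and isinstance(f.value, ast.Attribute) and f.value.attr == "db"
            and isinstance(f.value.value, ast.Name) and f.value.value.id == "frappe")

def find_dynamic_sql(source: str) -> List[Tuple[int, str]]:
    """Return (line number, query expression) for every frappe.db.sql call
    whose query argument is not a string literal. Bare variables, f-strings,
    %-formatting and concatenation are all reported, since each can carry
    caller-controlled text into the statement."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_frappe_db_sql(node)):
            continue
        # Positional first argument, or query=... (assumed keyword name).
        query = node.args[0] if node.args else next(
            (kw.value for kw in node.keywords if kw.arg == "query"), None)
        if query is None:
            continue
        if isinstance(query, ast.Constant) and isinstance(query.value, str):
            continue  # literal SQL text; bound parameters are the driver's job
        findings.append((query.lineno, ast.unparse(query)))
    return findings
```

Running `find_dynamic_sql` over each `.py` file in a plugin tree gives a quick inventory of dynamic-query sites, including ones in files that are no longer registered.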